‘One of the Worst Ever’: Chip Security Flaw Affects Virtually All Modern Devices

A Google-affiliated team of security analysts have announced that virtually all modern computers are vulnerable to hacking due to a set of security flaws in chips from three of the largest software makers.

Chips from Intel, Arm Holdings and Advanced Micro Devices (AMD) all contained the flaw, according to a new report from Alphabet, Inc.'s Google Project Zero, whose stated goal is to determine security faults in new software on zero day — that being the day that hackers discover the flaw in any given software.

The flaw, code named "Spectre," allows chips from the three companies to be tricked into giving up secret information to hackers. Furthermore, Intel chips suffer from a separate flaw called "Meltdown," which allows hackers to bypass hardware barriers, allowing them to read memory and steal passwords.

Intel chips made in the last decade have a defect with their kernel memory, which normally cannot be accessed by users because it allows the processor to interface with applications. Meltdown allows the technologically savvy to access the kernel memory, which can expose private information such as passwords and exploit other flaws in the computer's security.

Speaking to Reuters, Project Zero member Daniel Gruss, who is also a researcher with the Graz University of Technology, referred to Meltdown as "probably one of the worst CPU bugs ever found."

Gruss added that Meltdown would be relatively easy to fix with software patches, but Spectre, while less dangerous, applies to far more devices and will be much more difficult to remedy.

The announcement sent shockwaves through the cybersecurity world. Intel and ARM on Thursday both announced their intent to release a patch as soon as possible that would purportedly close the hole through an update to their operating system.

"Intel has begun providing software and firmware updates to mitigate these exploits," Intel said in a statement. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."

ARM spokesman Phil Hughes, meanwhile, said that they had already shared the patch with their partners, including Google (which extensively uses ARM processors in its Android mobile devices) and Samsung.

"This method only works if a certain type of malicious code is already running on a device and could, at worst, result in small pieces of data being accessed from privileged memory," Hughes said in an email statement.

Google issued a statement of their own, saying that their Android, Nexus and Pixel phones are protected, provided they're running the latest security updates. Users of Google's Chrome web browser and most of Google's Cloud projects will need to install updates.

Project Zero also said that Apple and Microsoft would issue patches of their own. Microsoft has declined to comment, while Apple has said that all Macintosh systems and devices running their Apple IOS are affected — but there were no reports of consumers being affected.

Speaking to Radio Sputnik's Loud & Clear with Brian Becker and John Kiriakou, NSA veteran-turned whistleblower William Binney called these security holes a major threat to privacy, as no computer is secure from government snooping. "If they're after you, they're going to get you," Binney said. "They have many ways of hacking through operating systems, firewalls, passwords — so if they're really after you, you're dead."

​The flaw, according to Binney, "goes back to GCHQ [the Government Communications Headquarters, the British signal intelligence agency] hacking into Gemalto, a company in the Netherlands where they were manufacturing chips, and what they did was they scraped off the web all the equivalence of access codes and identifiers of devices. That's what you put in your computer or cell phone, so that when you log on your identifier goes up. That means the system has your access code to connect to you and send data to you."

"But when they did that they pulled down billions of relationships in the chips. If you have a computer or a cell phone, and you log onto the network, your identifier goes up. Then your access code is the network, it knows that from the chip, and therefore you can then work on the network. Your password is something that could protect your files, but the GCHQ was trying to break through passwords so now they can go directly to that attempt any time you log on anywhere in the world."

In other words, even encrypted communications through applications like Protonmail or WhatsApp are no protection from signals from intelligence agencies like GCHQ or the NSA because they have the ability to access your data directly through the computer's chip.

Hello,
!

We are committed to protecting your personal information and we have updated our Privacy Policy to comply with the General Data Protection Regulation (GDPR), a new EU regulation that went into effect on May 25, 2018.

Please review our Privacy Policy. It contains details about the types of data we collect, how we use it, and your data protection rights.

Since you already shared your personal data with us when you created your personal account, to continue using it, please check the box below:

I agree to the processing of my personal data for the purpose of creating a personal account on this site, in compliance with the Privacy Policy.

If you do not want us to continue processing your data, please click here to delete your account.

promotes the use of narcotic / psychotropic substances, provides information on their production and use;

contains links to viruses and malicious software;

is part of an organized action involving large volumes of comments with identical or similar content ("flash mob");

“floods” the discussion thread with a large number of incoherent or irrelevant messages;

violates etiquette, exhibiting any form of aggressive, humiliating or abusive behavior ("trolling");

doesn’t follow standard rules of the English language, for example, is typed fully or mostly in capital letters or isn’t broken down into sentences.

The administration has the right to block a user’s access to the page or delete a user’s account without notice if the user is in violation of these rules or if behavior indicating said violation is detected.